CLAIMS 

WHAT IS CLAIMED IS: 

l\ A process for protecting a computer from hostile code, comprising the steps of: 
defining at least two trust groups; 

assigning objects and processes in the computer to one of said trust groups, irrespective of 
the rights of a user of said computer; 

upon operation of a process over an object or over a second process, comparing a trust 
group of the process with a trust group of the object or with the trust group of the second 
process, anci 

allowing the operation according to the results of said comparing step. 

2. The process of claim 1 wherein a process is assigned upon creation to the trust group 
assigned to the passive\pde starting from which the process is created. 

3. The process o^claim 1 further comprising the step of changing the trust group of said 
process after said operationX 

4. The process of claim 1 further comprising the step of changing the trust group of said 
object or of said second process after said operation. 

5. The process of claim 1 lurther comprising, upon creation of an object by a process, 
the step of assigning said created object to the trust group of said process. 

6. The process of claim 1 further comprising, when said operation is allowed, the step 
of assigning said process to the trust group\of said object or of said second process. 

7. The process of claim 1 wherein said trust groups are hierarchically ordered, and 
wherein the step of allowing further comprises\ 

allowing said operation when the trust group of said process is higher or equal in said 
hierarchy than the trust group of said object or of said second process; and 
denying said operation when the trust group of^aid process is lower in said hierarchy than 
the trust group of said object or of said second process. 

8. The process of claim 7 further comprising the^step of assigning said process to the 
trust group of said object or of said second process after thkoperation is allowed. 

9. The process of claim 1 further comprising: \ 
defining at least two types of objects; \ 
assigning objects to one of said types; and \ 

wherein the step of allowing operation over an object is further carried out according to the 
type of said object. \ 

10. The process of claim 1 further comprising: \ 
defining at least two types of processes; \ 



18 



1 . 



i3 

d 

«1 



j=fc 

I 

9 

ill 



assigning processes to one of said types, and 

and wherein the step of allowing operation of a process is further carried out 
according to the type of said process. 

1 1 . The process of claim 1 , further comprising: 
definin^at least two types of operations; and 

wherein tne step of allowing operation of a process over an object or over a second 
process is mrther carried out according to the type of said operation. 

12. The process of claim 1, further comprising: 
defining at least two types of storage methods, 
assigning a trust group to a type of storage methods; and 

carrying out a storage operation for a process of a trust group according to the storage 
method assigned the trust group of said process. 

13. A computer compri sing : 
objects and processes! 

a table of at least two tmst groups, and objects and processes in the computer being 
assigned to one of said trust groups irrespective of the rights of a user of said 
computer; and \ 

a controller configured to access said table and allow an operation of a process over 
an object or over a second process according to the results of a comparison of the 
trust group of said process and\he trust group of said object or the trust group of said 
second process. \ 

14. The computer of claim 13 further Comprising: 

a table of types of at least two typesW objects, the objects in the computer being 
assigned one type; \ 

and wherein the controller accesses saicktable for allowing said operation. 

15. The computer of claim 13, wherein said table of trust groups is stored in a non- 
volatile memory. \ 

16. The computer of claim 13, wherein said tableyof types is stored in a non- volatile 
memory. \ 

17. The computer of claim 13, further comprising a table of rules, and wherein said 
controller accesses said table of rules. \ 

1 8. The computer of claim 13, wherein said table of rules is stored in a non-volatile 
memory. \ 

19. The computer of claim 13, wherein the computer is opWatively coupled to a network, 
the network including a server, the table of trust groups stored in said server. 
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